Institutions of learning harbour the brightest and best, but also potentially dangerous minds.

That’s why laying out network security for schools can be a challenge, as one school district in British Columbia discovered.

The IT team at B.C. School District 67 in the Okanagan Skaha area of the province found that some students had installed key loggers on computer terminals they shared with the teaching staff. If you allow an untrusted user on a computer, that device becomes untrusted.-QuinText

Key loggers are software diagnostic tools that capture a user’s keystrokes. The software, which is widely available on the Internet, can pinpoint sources of error in computer systems, but can also be used to obtain passwords and encryption keys.

The IT department that managed some 2,000 desktops, 300 laptops and 350 Citrix-based terminal servers, knew it needed to take extra precautions.

And yet, while tightening security, it could not deny students certain necessary tools and privileges.

For instance, the school district had no intention of restricting over 8,300 students from using USB devices which they have become dependent on for storing assignments and projects.

“Security can’t be a one-size-fits-all solution where end users are so restricted that they can’t do their work,” said Danny Francisco, IT manager for BC School District 67.

The school district’s network had a firewall against external threats, but with so many potential hackers on the campus, the IT team was equally worried about security breaches coming from within. Threats included unauthorized use of applications by students and the hacking into sensitive data.

“Schools are perfect breeding grounds for potential hackers,” said James Quinn, senior research analyst at Info-Tech Research Group Inc. in London, Ont. “When you allow an un-trusted user to log on to a computer, that device potentially becomes an un-trusted device.”

According to Quinn, security risks can be reduced by deploying separate computers for trusted users such a professors, and another set of machines for students.

Under this system, computers used by staff could have greater access to the network, while those used by students would have limited access.

Another solution is to use end-point security applications. “End-point security software acts as a checkpoint between devices and the network,” said Quinn.

If the software senses the device is running an unauthorized application or one that could potentially breach security, the system boots out the device and refers it for quarantine, the Info-Tech analyst said.

The school district approached end-point security system integrator AppSense Ltd. of Daresbury, U.K. in March this year.

The company’s mandate was to toughen server security and increase the ability of the district’s IT team to administer policies and manage user profiles, but at the same time improve user productivity.

In the past, spyware, adware and other malware could easily be introduced into the network, said Martin Ingram, vice-president for product management at AppSense.

“A firewall is rarely enough these days,” Ingram said. He explained that firewalls are often allowed e-mails laced with Trojan viruses to get past and users often boot applications from USB keys that carry malware.

To eliminate spyware and restore the integrity and performance of the terminal servers and desktop, the IT department had to re-image machines every month,” Francisco said.

Going through such a process repeatedly could wreak havoc on any organization’s productivity, according to Joe Greene, vice-president for IT security and research at the Toronto-based consultancy firm IDC Canada Ltd. “Typically, the IT team will have to turn off and clean out every machine infected with a virus,” said Greene.

The process, which could take days or weeks depending on the severity of the attack, holds back productivity of the IT team and the users.

In the case of USB devices, BC School District 67 had only two choices. “IT either had to lock USB devices out completely or allow them to be used by everyone,” said Francisco.

Ingram also said the IT department managed security on its thin clients, desktop and laptop environments separately. There was no central way to administer policies or provide fixes. The school district also had several applications that hogged computing resources resulting in sluggish overall performance, increased support calls and higher management cost.

AppSense deployed two key software products in the districts desktops, laptops and servers.

Application Manager, Ingram said, acted as a filter against malware and unauthorized applications and eliminates the chances of intentional and unintentional breaches.

The software works on a tiered-access system. For instance, if a student tries to download or run an application that is not listed as authorized, Application Manager will prevent the action.

“Even when students try to circumvent security policies they don’t succeed because security is so deep and granular,” said Francisco.

When a user with a higher privileges – such as a professor – attempts the same, he or she would get an onscreen message warning that an authorized application is about to be run. The professor has the option to proceed, or stop and seek advice.

Ingram said this is essential because professors occasionally need to run applications that are new and not yet logged as authorized. Before using AppSense, professors had to wait for two to three weeks to get authorization. Application Manager now allows them to run the application almost immediately. “The new process does not choke productivity,” said Ingram.

AppSense software is ideal for the district’s 300 laptops because it allows users to get the newest policies the moment they reconnect, said Francisco.

“It’s a lot more customized than the built-in Microsoft capabilities.”